Personally I use these:
Web developer which allows me to change the css styling of this website, which can help with readability issues with the coloring on this site.
No script dont usually trust scripts for the most part.
Tamper Data for your basic HEADER / GET / POST fun.
Firebug allows viewing XMLHTTPRequests among viewing hidden/generated body content.
User-Agent Switcher see different page rendering given different user-agents.

I have all you have minus the No script one.
Also:
DOM inspector - lets you easily edit the DOM
QuickJava - easily enable/disable java/javascript
Greasemonkey - create custom scripts to run on specified sites
Add 'n Edit cookies - uhm.. isn't it obvious?
Adblock - you should know this one.
View Source Chart - views the source code of a page as it currently is in the memory (after being affected by JS etc)
NewsFox - RSS reader (though I have edited display.xul because some things bugged me)
Reload Tab On Double-Click - obvious
AutoCopy - Select text on any web page and it will be automatically copied to the clipboard
CustomizeGoogle customise google, gmail, google images and the rest to fix the little quirks you hate.

Not including my Greasemonkey scripts or my scriptlets or my configuration changes, here's pretty much what I use:

Adblock - great for turning on and off just about anything
Autocopy - cuz I'm still used to xterms even after all these years of not using them
IE View - I need to do so much testing it's invaluable
CustomizeGoogle - I use it for the image search, actually, it's about 10,000 times better, plug I get to turn off Google ads, which is nice, since I've never been a fan of page weight.
Web Developer - I have it for a number of reasons, but I love it for showing me what JavaScript is doing to the DOM. Pretty useful - although I don't use it much.
SwitchProxy Tool - I often switch between proxies for various IP based testing and for routing traffic over SSL proxies (to bypass content filters).
Greasemonkey - I do lots of greasemonkey tests because it's easier than writing full blown plugins.
IE Tab - for the same reason I have IP View, except sometimes I just want it embedded.
JS View - It comes in handy when you want to see all the JavaScript or CSS on a page and nothing but it.
Server Switcher - useful if you have a dev and beta environment and you just want to quickly switch between them.
ViewSourceWith - because I got really annoyed about not being able to edit the source on the fly inside Firefox's default view source viewer. I actually hate this plugin though, because it's pretty glitchy when it comes to data in text boxes. Avoid it.
FirefoxView - For the same reason I have IE Tab and IE View (I never use it though)
QuickJava - Probably one of my most used tools. I nearly always have at least Java turned off and most of the time JavaScript too. Switching back and forth is painful without it.
Flashblock - Very useful for reducing page weight and solves the Expect vulnerability issue. ;)
SearchStatus - Provides some basic SEO functionality, including pagerank, Alexa ranking, and some search engine stuff. It's alright, but I find I have it turned off more than I have it turned on for security reasons since Alexa and Google pagerank are spyware.
SEOpen - Does lots of the same stuff SearchStatus does minus some of the spyware (and hense some of the functionality). I don't use it much.

Seriously though the most important one for me is session saver, I am adapt at crashing my browser at least once a day, or just lazy and close the whole thing with the expectation of starting back where I was.

Dave, why is that? Is it built in? I just haven't had time to play with it. I talked with the Mozilla guys and they seem excited about it. Mostly I talked about the anti-phishing stuff with them, not about any of the additional changes so I'm really not up on the future release.

As I read in my favourite newsticker (German) http://www.heise.de/newsticker/meldung/76999 it is built in. The anti-phishing stuff sounds not really convincing to me. Okay, for most (dumb) users it can be helpful, but I'm sure it becomes like "Oh, the adress bar didn't change the color, this site must be trustworthy. Here are my tans..."

I'm not exactly up on my German, so thanks for pointing the article out.

I'm always a little wary of blacklist style anti-phishing technology, but something is better than nothing. I didn't get word on how XSS might effect it, and I haven't played with it myself, but it will be interesting to see.

Really, even if it completelly sucks, and IE7.0's version is no better, I still think the name of the game is time from detection to getting it to people's desktops. If it only updates once a week that's way too slow. If it updates after ten minutes of being logged in, that could still be too slow because some people don't instantiate their browser until they click on a link in an email. How fast can the propagation engines work? In some sense you're always going to have the sacrificial user who has to alert you of the Phishing site the first time, but limiting that exposure would be good.

Oh yes, I think most of us have tamperData, very handy.
Though I have to say that equally useful is the Proxomitron. It's a proxy server which you can forward any browser throuh (any program actually, as long as it allows HTTP proxies) and change stuff according the pre-set regexs. Very useful.

To overlay an existing XUL element, you first need the URL of its chrome. Extentions use XUL to specify how the UI should look. It's kind of like XHTML but tags customised for UIs as opposed to web sites.

Once you have the chrome you can check if it exists or not go here and you'll get a new tool bar:
chrome://browser/content/
Or if you have user agent switcher this will open it up:
chrome://useragentswitcher/content/about/about.xul
Or here for greasemonkey:
chrome://greasemonkey/content/manage.xul

You want an easy way to find the chrome urls? install grep if you don't have it. grep chrome:// * -S

Generally people don't go around showing off chrome URLs because technically they aren't really supposed to be controlled by the website you are visiting, but some plugins issue it because it's something they want to show you in context of the browser, which itself is really a rendering engine (plugins are CSS in context of a frame that sits outside of the frame that you are visiting a website in). That's probably why you haven't heard of it.

has anyone else gotten XSS'd by firebug? I've been using a bit and the browser never generates the javascript alert but when i open it up in firebug and i click the element its located in, boom an alert comes up. Weird maybe its a bug or something =p

hrmn one of the only technology-functional extensions i haven't been running is the user-agent one. i'm going to download that in a few minutes and check that out. i've been manually changing my UA to XSS or other oddities for awhile now.

i do cookie control and most other controls through the web developer extension. unless i'm mucking with stuff, i normally just run firefox in -safe-mode or use opera or konquerer.

note that in firefox 2.0 extensions are called add-ons, and some don't work unless you use the Mr Tech Local Install (1) extension or the nightly builds extension (but i usually go for releases).

I also use MAF (2) , which is invaluable when working on stuff offline. I recently started using the anti-phishing extensions from http://crypto.stanford.edu/antiphishing/ which do things that many other ones (netcraft toolbar, earthlink scamblocker, et al) don't.